Single market chief Frits Bolkestein says the European Commission is now “looking into this as a matter of priority” and is working with national data protection authorities to check the system’s “compatibility – or not – with EU data protection law”.

The Dutch commissioner is focusing on the company’s free ‘.Net Passport’ service – designed to enable web surfers to move quickly and easily among secure sites, such as online shops or banks, without having to supply similar confidential user information each time.

The probe follows claims that .Net Passport is set up to continually mine web users’ personal data behind their backs – to pass on to websites participating in the scheme. Bolkestein says investigators are checking whether customers were asked to give their consent for transfers of sensitive data – and whether national watchdogs were notified in line with the rules.

The investigation adds to the woes of the world’s biggest software company – which could face huge anti-trust fines and changes to its sales practices for the Windows operating system. Bolkestein’s fellow Dutchman, MEP Erik Meijer, has presented the Commission with a catalogue of allegations over the service.

He said a “vast quantity of personal information is surreptitiously passed on to unknown parties, by, in particular, [Microsoft’s] Hotmail address owners without their noticing it”.

Meijer said data are also trawled from users of popular sites such as chat site MSN Messenger, the travel site Expedia.com, auction site QXL, hotel chain Hilton.com and web community MSN Communities.

He says failure to register with .Net Passport results in exclusion from many site’s services; that only out-of-date information is deleted from data files on users; that unsubscribing is impossible and that it allows passwords with as few as six characters.

Meijer adds that customers at internet cafés and students in universities could even unwittingly pass on private data to other users if they fail to log off correctly.

In a statement to European Voice, Microsoft’s lawyers defended the service.

“This description of .NET Passport is not accurate,” they say, adding that Microsoft is “working to ensure that Passport complies” with the requirements of the EU’s strict 1995 data protection directive.

They argued that it is “not clear” whether the law applies to data on EU citizens shared directly with a website outside Europe.

The directive, under review this year, can ban exports of data between the EU and countries, such as the US, where data privacy regimes are deemed to be inadequate.

Microsoft is a member of the ‘safe harbour’ scheme designed to allow US companies to export data on EU citizens to America provided they apply tough data protection measures in return.